Hi Craig,
I would think, in general, that the Request is intended to be for "read"
AND "write", although I do not believe that it is necessary to imply
this, since the xacml spec does not address it directly, afaik. However,
from a purely logistical plain language point of view, I would assume
that this was a Request for a Decision to allow the subject to read
and/or write to the resource.
All XACML does is answer the question, it does not in general, know
"how" the subject is going to use the results of the Decision, so I
would assume a conservative Policy would look at the "worst" case
scenario and be designed to process that worst case and give maximum
protection. i.e. the Policy should assume the Subject will use the
Decision to do anything possible based on the contents of the Request.
Some systems might be designed so that every Request is a one shot deal
where the Subject makes the Request, uses it once, then if the Subject
wants to use the Resource again, then the Subject would have to make
another Request. Other systems might take more of a "session"
perspective and allow the Subject to use the Decision for any number of
actions while the presumably "application-controlled session" is still
in progress.
My understanding is that XACML was designed to be as flexible as
possible, and so I do not believe either interpretation in prev
paragraph is the "correct" one. I think either is equally as good.
But, in any event, the reason for my original question is that it was
suggested to me that multiple <Attribute
AttributeId="...action:action-id"> elements were not allowed in XACML.
That did not sound correct to me technically, based on what I said in
the original email, and if I then take the assumption that technically
it is allowed, I find nothing particularly wrong with it from a common
sense Policy design perspective either.
I do want, however, to unambiguously say that it is allowed, so that the
people who asked me about it can feel comfortable moving ahead doing
design on that basis. So, if there is any restriction somewhere that is
normative in nature or would cause anyone to say it is not allowed it
would be useful to know. I may even suggest some text to add to the spec
to remove any possible ambiguity in this matter. For example, in section
6.3 there is text that to me unambiguously indicates that resource-id
can have multiple values in a single Request. Also in the RSA Interop,
the HL7 permission-id attribute had multiple instances. I am sure each
of these has their own justification, however, the point is that there
is no justification to dis-allow any of this behavior, which is the
definitive result I am looking to get at here.
Thanks,
Rich
Craig Forster wrote:
> Hi all,
>
> I don't think it's disallowed explicitly, but writing policy to handle it
> well would be difficult.
>
> For example, say the policy has Permit for "read" but no policy allowing
> "write" (but not Deny either). The request, IMO, is asking "can I read AND
> write this resource?". Should the request be permitted? The policy would
> return Permit, even though it really should return NotApplicable.
>
> The provisions to handle multiple Resources as separate requests are for
> this type of scenario.
>
> Thoughts?
>
> Regards,
> Craig
>
> ---
> craig forster | staff software engineer
> ibm australia development labs
>
>
>
>
> From: Erik Rissanen <erik@axiomatics.com>
>
> To: "Rich.Levinson" <rich.levinson@oracle.com>
>
> Cc: xacml <xacml@lists.oasis-open.org>
>
> Date: 18/09/2008 03:19
>
> Subject: Re: [xacml] Question on xacml 2.0 - multiple action-id Request/Action elements
>
>
>
>
>
>
> I don't recall anything in the standard which disallows it. Anyone else?
>
> And I don't see any reason for disallowing it either.
>
> /Erik
>
> Rich.Levinson wrote:
>
>> I have been asked whether a Request/Action element can
>> contain more than one <Attribute AttributeId="...action:action-id">
>> element:
>>
>> For example, what would be wrong with Example 4.1.2 having
>> the following:
>>
>> <Action>
>> <Attribute
>> AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>> DataType="http://www.w3.org/2001/XMLSchema#string&quot;>
>> <AttributeValue>read</AttributeValue>
>> <AttributeValue>write</AttributeValue>
>> </Attribute>
>> </Action>
>>
>> Apparently, some have the opinion this is not
>> allowed. I think that opinion is mistaken, because I have not found
>> any reason that this is disallowed. Is there anything that forces
>> us to only have one value for action-id?
>>
>> Thanks,
>> Rich
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>
>
>
>